The Information Commissioner’s Response to the Leveson Report on the Culture, Practices and Ethics of the Press The report of the Leveson Inquiry into the Culture, Practice and Ethics of the Press was always going to be of great interest to the Information Commissioner’s Office (ICO). After all, it was the Information Commissioner who took the lead in raising questions about the involvement of the press in the unlawful trade in personal data after ICO staff raided the home of the private investigator Steve Whittamore in 2003 - the start of what became known as Operation Motorman. Almost ten years on, the Inquiry’s conclusions are also of much significance for today’s ICO. Because, as well as tasking the judge with inquiring into the culture, practice and ethics of the press, the Inquiry’s terms of reference also directed him to “inquire into … the extent to which the current policy and regulatory framework has failed including in relation to data protection”. Part H of the Report, in particular, deals with the press and data protection. This includes a section setting out an analysis of Operation Motorman, a section on the ICO and the press today, and a section dealing with issues around the legal framework. It concludes with a series of recommendations for the ICO and for the Ministry of Justice (MoJ). While recognising some of the constraints placed on the ICO by the limitations of the legal framework for data protection and the resistance of the press to external regulation, there is no escaping the fact that Leveson is critical of the work of the ICO in so far as it involves regulation of the press. This criticism is focused on the response of the ICO to the illegality in the acquisition and use of personal information that was exposed by Operation Motorman, but it also relates to how the ICO has subsequently sought to engage operationally with the press. This document sets out the Information Commissioner’s response to the specific recommendations directed to the ICO and comments on the recommendations on changes to the legal framework directed to the MOJ. More generally, the ICO has heard the criticisms of its work made by the judge and is taking steps to address them. We are, for example, considering when and how we should set out proactively to notify victims 1 of data protection breaches who may not be aware that they are the subjects of such unlawful activity. We are also looking at how we might respond more effectively when we are faced with evidence of illegality in the acquisition and use of personal data requiring a response that is beyond the limited investigative and prosecution capabilities available to us through the use of our in house staff. We have set in train a process of carefully analysing those other aspects of our activities related to the regulation of the press that the report addresses to ensure that we learn lessons. Lord Justice Leveson’s report will also inform a review exercise we are undertaking over the next six months to ensure that the ICO keeps on the front foot and is as well placed as possible to meet the many challenges it will be facing over the next five years or so. It is, however, important to bear in mind that the bulk of the activity that was the subject of detailed analysis by the Leveson Inquiry took place between 2003 and 2007. Many changes to the ICO were taking place at that time and have continued since, led first by Richard Thomas and, from 2009, by Christopher Graham. The ICO is now a very different organisation from the one that was in place at the time of the Motorman investigation. The ICO was not asked about any of this at the Inquiry, which understandably focused on the role of the ICO in relation to the press rather than its wider regulatory remit. We are therefore glad to have this opportunity to set out how the ICO has been changing since the events described in the Leveson report. In 2003 the ICO had fewer than 200 staff. We now have more than 350. We have also reorganised our management structures and business processes at various points over the period. In 2005 we established a dedicated Regulatory Action Division with senior level leadership. We have since been given significant new enforcement powers, in particular the power to impose civil monetary penalties, which we are deploying effectively. As a consequence we have further expanded what is now our Enforcement Department. This has greatly strengthened our capability, competence and professionalism in all aspects of data protection enforcement. We have developed an enhanced enforcement tool kit, have become more willing to deploy the tools within it, and are increasingly prepared to take calculated risks across the whole range of our regulatory activities. In 2003 some commentators referred to the ICO as a ‘toothless tiger’. It is not a criticism we hear often these days. We have also strengthened our management controls. The head of our Enforcement Department, a former Detective Chief Inspector from Greater Manchester Police, reports directly to the Director of Operations who, as a member of the Commissioner’s Executive Team, provides regular updates on key enforcement issues. We have in place a system of regular reporting against business plans and against personal objectives as well as general oversight by an Information Rights Committee. In 2 addition to line management by the Director of Operations, the Head of Enforcement frequently updates the two Deputy Commissioners and the Commissioner himself on significant enforcement activity. The high profile that enforcement activity now enjoys, both externally and within the ICO, together with our strengthened management processes mean that significant enforcement decisions, such as those arising from Operation Motorman, are now taken more formally, command a greater degree of corporate ownership, and are comprehensively documented. One of the management controls that is already in place is a quarterly report to our Management Board on all significant information rights developments. The Management Board, which was first established by Richard Thomas, started work in February 2004 and was designed to strengthen the governance of the ICO. Membership includes four non- executives drawn from a variety of backgrounds, as well as the Commissioner and his four most senior executive staff. The Management Board meets quarterly. As well as leading the ICO’s Audit and Remuneration Committees, the non-executive members assist the ICO by bringing their wide ranging expertise to bear on its work generally and by taking an interest in particular strategic initiatives and projects. The Management Board approves the strategic direction of the ICO, signing off the Corporate Plan, holding the executive directors to account for performance against the Plan, and more generally providing oversight and challenge across the whole range of the ICO’s regulatory activities. The Management Board, as currently constituted, may fall short of Lord Justice Leveson’s suggestion of a Board of Commissioners, but its establishment and its working represent a significant step and perhaps address some of the limitations that come with the corporation sole single post holder model of governance. 3 Recommendations for the ICO The Information Commissioner’s Office should take immediate steps to prepare, adopt and publish a policy on the exercise of its formal regulatory functions in order to ensure that the press complies with the legal requirements of the data protection regime.1 The ICO accepts this recommendation. We are now in the process of revising our Data Protection Regulatory Action Policy so that it specifically addresses how we will use our regulatory powers to ensure that the press complies with the legal requirements of the data protection regime. At the time of the publication of Lord Justice Leveson’s Report, we had already endorsed and adopted the CPS Guidelines for Prosecutors on assessing the public interest in cases affecting the media, issued by the Director of Public Prosecutions in September 2012. We will incorporate these Guidelines into our revised Data Protection Regulatory Action Policy. We expect this policy to be published by the end of March 2013 and will ensure it is communicated effectively to both press interests and the wider public. In discharge of its functions and duties to promote good practice in areas of public concern, the Information Commissioner’s Office should take immediate steps, in consultation with the industry, to prepare and issue comprehensive good practice guidelines and advice on appropriate principles and standards to be observed by the press in the processing of personal data. This should be prepared and implemented within six months from the date of this Report.2 We recognise the need for the ICO to prepare this guidance, based on the DPA as it currently stands. We also recognise the importance of consultation with the press and broadcasting industry. We will take on board Lord Justice Leveson’s comments about who the ICO should engage with when consulting with the press. Though we will consult further on this, our initial proposal is to develop a Code of Practice under section 51(3) of the Data Protection Act. When we develop such a code we are required to consult trade associations and data subjects or persons representing data subjects on its contents. We will in any case work with the new press regulator to ensure there is the appropriate linkage with any new code of conduct drawn up by them. 1 Part H, Chapter 5, para 2.63 2 Part H, Chapter 5, para 2.71 4 The timescale set out is challenging but we will endeavour to meet it.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages20 Page
-
File Size-